Ransomware gangs are getting more ruthless to increase the pressure on their victims. Now, even swatting cancer patients seems to be on the table.

Ransomware groups are liars, yes, but even when these dangerous cybercriminals would ransack organizations and destroy entire companies, a few select groups espoused a sort of “honor among thieves.” According to those few groups, their cybercriminal actions would never include organizations actively involved in healthcare, such as hospitals.

But, as can be expected from ransomware groups, these were nothing but lies. The million-dollar criminal operations, awash with cash, are still vulnerable to greed.

LockBit has claimed the recent attack on Capital Health. And even though LockBit claims they did not encrypt the hospitals files, the hospitals and physicians’ offices experienced IT outages that forced them to resort to emergency protocols designed for system outages. Several surgeries were moved to later dates and outpatient radiology appointments were canceled.

Unfortunately, we have seen these type of disruptions in healthcare before. And despite promises, we expect to see them again.

But in an even more brutal turn of events, a ransomware group is crossing another line, and resorted to threatening physical violence against patients. As fewer organizations are willing to pay the ransom, it seems the ransomware operators have lost all human decency (admittedly, it’s hard to believe they ever had any).

Again, we have seen ransomware groups turn on people who had their data stolen before. It’s an extra type of leverage to get the target organization to pay the ransom. Integris Health for example, an organization which operates a network of 15 hospitals and 43 clinics, reported that some of their patients received emails threatening to sell their information on the dark web.

But in the case of Seattle’s Fred Hutchinson Cancer Center, the criminals have taken it even a few steps further and threatened to “swat” hospital patients.

Swatting is where someone makes a hoax emergency call to law enforcement in order to get armed police (in reference to US “Special Weapons And Tactics” teams) to target a particular address. Over time, swatting has evolved from a dangerous type of prank to a cybercrime that can be ordered as a service.

Swatting is dangerous because of the potential consequences. Not only does it take emergency services away from their actual tasks, but there have been swatting incidents that had fatal consequences.

Once the Fred Hutchinson Cancer Center became aware of the cybercriminals’ swatting threats, they immediately notified the FBI and Seattle police. Let’s hope this reduces the potential dangers involved in swatting.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Exposing the ransomware lie to “leave hospitals alone” 

Apple may be found negligent in an Airtags stalking lawsuit, but it has made improvements that may help potential victims

Each year, an estimated 13.5 million people in the US are victim to stalking. This is a worrying fact stated in the introduction of a lawsuit against Apple brought by stalking victims who charge that AirTags empowered their abusers.

AirTags are marketed as trackers that allow you to easily find lost belongings like keys and luggage. If you lose an object, you can find the AirTag in the Find My app on another Apple device. The tracker transmits its location via Ultra Wideband technology which is more accurate than Bluetooth when it comes to determining exact location. Since the tracker shares its location with the Apple devices of others, you can also find your AirTag over large distances.

AirTags are relatively cheap ($29), small (1.29”/3.19 cm) and can run for about a year before they need the battery replaced. This makes them an ideal tool for stalkers—they just need to attach one to something that they expect you to keep with you.

An important part of a negligence claim is whether the manufacture could have foreseen the issue—in this case, the stalking issue. This shouldn’t be a problem since lots of people were screaming from the rooftops that Apple was basically putting out a product for stalkers.

From the suit:

> “Prior to and upon the AirTag’s release, advocates and technologists urged the company to rethink the product and to consider its inevitable use in stalking. In response, Apple heedlessly forged ahead, dismissing concerns and pointing to mitigation featured that it claimed rendered the devices ‘stalker proof.'”

One plaintiffs’ lawyer argued that Apple did not make it possible, at the time the victim was stalked, for people being followed to locate an unwanted AirTag.

When the judge asked what Apple could have done better, the lawyer acknowledged that Apple has since made many fixes, but victims should have been alerted they were being subjected to unwanted tracking more quickly.

**How do the improvements Apple made help victims?**

Since AirTags were introduced, Apple has made some changes that can help potential stalking victims.

The most important one is that someone is now able to find out if an AirTag that they don’t own is moving with them over time.

On iPhones and iPads this is enabled by default, but it doesn’t hurt to check, especially if somoene may have had access to your device.

To make sure these options are enabled:

*   Go **to Settings** **\> Privacy & Security** > **Location Services**: Location Services should be on
*   Under **Location Services** > **System Services** > **Find My iPhone/iPad**: Significant Locations should be on.
*   Under **Settings** you also need to make sure you’re not in **Airplane Mode** and **Bluetooth** is on.
*   Open the **Find My** app, open the **Me** tab, and make sure **Tracking Notifications** are turned on.

If an unknown AirTag is following you, you’ll see an alert like this:

In the Find My app, you’ll be able to see how long the AirTag has been with you and you can use the Play Sound option to have the tracker emit a noise, which can help you find it.

For Android owners, Google has created a similar anti-stalking feature. Please note that the path to find the appropriate settings may vary with vendors and Android versions, but this should give you a good idea:

*   Select **Settings** \> **Safety and emergency** \> **Unknown tracker alerts**. Here you can allow alerts and do a manual scan for nearby trackers.

An unknown tracker alert is sent when someone else’s tracker device is separated from them and detected to be traveling with you and out of Bluetooth range from the owner. You can trigger any found AirTag to make a sound and you’ll be able to see how long it’s been with you on a map.

There are plans to broaden the scope of the tracker alerts besides AirTags. Companies including Samsung, Tile, Chipolo, Eufy, and Pebblebee have expressed interest in supporting this technology.

We’ll keep an eye on the lawsuit and let you know how it progresses.

 AirTags stalking lawsuit alleges Apple&#8217;s negligence in protecting victims 

A list of topics we covered in the week of January 1 to January 7 of 2024

January 7, 2024 - UK Police are investigating a sexual assault on the avatar of a girl aged under 16 that caused psychological trauma.

January 7, 2024 - People using LLMs for bug bounty hunts are wasting developers' time argues the lead developer of cURL. And he's probably right.

January 7, 2024 - Researchers have found flaws in the way SMTP servers handle messages, allowing them to send spoofed emails to and from targets.

January 4, 2024 - Facebook has announced it will roll out a new option called Link History to mobile users around the world. What does that mean?

January 4, 2024 - 23andMe has responded in a letter to legal representatives of data breach victims that they were to blame themselves for re-using passwords

 A week in security (January 1 &#8211; January 7) 

UK Police are investigating a sexual assault on the avatar of a girl aged under 16 that caused psychological trauma.

British police are investigating a case involving a virtual sexual assault of a girl’s avatar. Even though there was no physical violence involved the incident will be investigated as it has caused psychological trauma.

By definition, an avatar is a virtual representation of a user and is driven by the user’s movements in the virtual world. In Virtual Reality (VR) an avatar is placed, behaves, and moves like a physical body.

In the investigation, a girl under the age of 16 was playing a VR game when the avatars of online strangers gang raped her avatar. The VR experience is designed to be completely immersive. For example, we’ve all seen those “funny” movies where people wreck their television set because they loose contact with reality because what they see through their VR headset is so believable. So, it’s not very hard to imagine how much of an impact the incident had on the girl.

The BBC reports that the incident left her very distraught. According to an unnamed senior officer familiar with the matter, the victim suffered psychological trauma “similar to that of someone who has been physically raped”.

Whether it is possible to punish the attackers remains to be seen. As we all know, laws always trail behind when it comes to new technological developments. For an actual assault or rape case there needs to have been physical contact.

The incident should at least be considered as a good reason to:

*   Start thinking about legislation that can deal with these sort of incidents.
*   Create platforms that can provide a safe environment, especially for children.

It is possible to utilize existing laws, for example against the creation of synthetic child abuse images, which could be used as the basis of prosecutions in virtual world cases, but specialized laws would make court proceedings a lot easier.

According to the Daily Mail Online, police leaders are now calling for legislation to tackle a wave of sexual offending online, saying officers’ tactics must evolve to stop perverts using new technology to exploit children.

Details about the specific platform have not been released. But it’s certain that the new technology has led to new variations of existing types of crime like the theft of rare game artifacts, fraud, and sexual offenses. Unfortunately, some people feel they can behave like savages when they are hiding behind their virtual identity.

Billions of dollars are invested in developing the metaverse, an umbrella term for virtual worlds, and to attract new VR users. We hope to see some of those dollars invested in safety precautions, which will keep the experience safe for everyone.

For parents looking for guidance on how to keep their children safe on the internet, we recommend reading **Internet Safety Tips for Kids, Teens and Parents**.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Police investigate sexual assault on an avatar 

People using LLMs for bug bounty hunts are wasting developers' time argues the lead developer of cURL. And he's probably right.

Bug bounty programs that pay people for finding bugs are a very useful tool for improving the security of software. But with the availability of artificial intelligence (AI) as seen in the popular large language models (LLMs) like ChatGPT, Bard, and others it looks like there is a new problem on the horizon.

Bounty hunters are using LLMs not only to translate or proofread their reports, but also to find bugs.

Daniel “Haxx” Stenberg of cURL explains in a blogpost why he sees this as a possible problem. CURL is a computer software project providing a library and command-line tool for transferring data using various network protocols. The name stands for Client for URL. Daniel is the original author and currently the lead developer.

He argues that, for some reason, bug bounty programs also attract fortune seekers that are looking for a quick buck without putting in the necessary work. According to Stenberg, developers could easily filter out these fortune seekers before they had access to LLMs.

The source of the problem lies in the bad habit of some LLMs to “hallucinate.” LLM hallucinations is the name for the events in which LLMs produce output that is coherent and grammatically correct but factually incorrect or nonsensical.

This is a problem for developers because they can often discard nonsensical reports from humans only after a short examination. But reports generated by AI look coherent, so they waste a lot more time.

In the mystery of the CVE’s that are not vulnerabilities we saw how the automated submission of bugs had raised issues before that wasted a lot of developer time. Time the developer would like to use to fix real bugs or work on new features. As Daniel put it:

> “A security report can take away a developer from fixing a really annoying bug. because a security issue is always more important than other bugs. If the report turned out to be crap, we did not improve security and we missed out time on fixing bugs or developing a new feature. Not to mention how it drains you on energy having to deal with rubbish.”

This is especially annoying when the person that submitted the bug is unable to respond to additional queries in a way that clarifies the issue. Which is often the case since that person has no idea why the LLM flagged the submission as a bug in the first place.

In several areas people are working on tools that can recognize content created by AI, but these are not a full solution to this particular problem. Bug bounty hunters also use LLMs to translate their submissions from their native language to English. Which is often very helpful. But if a recognition tool were to discard all those submissions, they might end up ignoring a serious security vulnerability just because the bounty hunter wanted to submit a report in perfect English.

In the future, AI will undoubtedly proove to be useful in finding software bugs, but we expect these tools will be deployed by the developers themselves before the software goes live.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 How AI hallucinations are making bug hunting harder 

Researchers have found flaws in the way SMTP servers handle messages, allowing them to send spoofed emails to and from targets.

SMTP smuggling is a technique that allows an attacker to send an email from pretty much any address they like. The intended goal is email spoofing—sending emails with false sender addresses. Email spoofing allows criminals to make malicious emails more believable.

Let’s take a closer look at what it is exactly, and how cybercriminals can use it.

The first thing we need to look at is the Simple Mail Transfer Protocol (SMTP), a protocol that allows the exchange of emails. Mail servers and other message transfer agents use SMTP to send and receive mail messages.

SMTP is very much a protocol that has developed over time since it became the standard for always-online servers in the 1980s.

Basically, an email is written using software like Microsoft Outlook or Apple Mail and is then handed over to an SMTP server. The server looks up the appropriate mail server for the domain in the recipient’s address—the part on the right side of the @ symbol, and sends the mail to that server.

It sometimes takes a few steps, but if all goes well the email will be received by the SMTP server that handles the mail for the recipient. This server may deliver the messages directly to storage, or forward it over a network using SMTP before it reaches the recipient.

Simplified, the process looks like this:

Image courtesy of SEC Consult

Image courtesy of SEC Consult

Image courtesy of SEC Consult

Since SMTP lacks authentication it used to be extremely easy to spoof a sender address. Several safeguards emerged to stop this:

*   SPF (Sender Policy Framework): This uses DNS records to indicate to receiving mail servers which IP addresses are authorized to send mail for a given domain. So this still leaves the work to the receiving server.
*   DKIM (Domain Key Identified Mail): This method signs outgoing emails using a private key. Receiving servers validate the sender using the sending server’s public key,.
*   DMARC (Domain-based Message Authentication, Reporting, and Conformance): DMARC verifies if the email’s “From” domain aligns with SPF checks and/or DKIM signatures. Thus, the DMARC check fails if there is a mismatch between the MAIL FROM and the From domain where otherwise the SPF check would pass. Unfortunately DMARC is not very widely used.

**SMTP smuggling**

SMTP smuggling takes advantage of inconsistencies in the way that proxy servers and firewalls handle SMTP traffic.

Traditionally, the end of data in an SMTP conversation is indicated by a sequence <CR><LF>.<CR><LF> (CR LF stands for Carriage Return and Line Feed, which are standard text delimiters) which can also be written as \r\n.\r\n.

Researchers published about two types of SMTP smuggling, inbound and outbound. They started working from the question, what happens if outbound and inbound SMTP servers interpret the end-of-data sequence (<CR><LF>.<CR><LF>) differently?

If you can tell one server the email ends here and the other one that the full packet ends later, you can create a compartment in which you can smuggle more data.

So, the researchers started testing by putting a <LF>.<LF>  sequence in the middle of sent packages. And they found that outbound SMTP servers have different methods of dealing with it, including:

*   Dot-stuffing (Escaping the single dot with another dot):  <LF>..<LF> 
*   Replacing it with a <CR><LF> 
*   Encoding it (e.g., via quoted-printable): =0A.=0A 
*   Removing the entire sequence 
*   Not sending the message 
*   Or do nothing at all

By testing, which included sending specially constructed messages from and to different email providers, the researchers were able to find combinations that allowed them to send two email messages in one package. The sequence <LF>.<CR><LF> turned out to be effective on a custom SMTP server called NemesisSMTPd which is in use by email services provided by Ionos (e.g. GMX) which accounts for about a million hosted domains.

Image courtesy of SEC Consult

Some vendors (Microsoft and GMX) were quick to fix the vulnerabilities that facilitated SMTP smuggling, but the researchers urge companies using the also affected Cisco Secure Email product to manually update their vulnerable default configuration. The Cisco flaw affects more than 40,000 vulnerable instances and allows an attacker to send spoofed emails to high-value targets, such as Amazon, PayPal, eBay, and the IRS.

The recommendation by the researchers tells organizations using Cisco Secure Email Gateway (on premises) or Cisco Secure Email Cloud Gateway (cloud) to change the default settings of “CR and LF Handling” from “Clean” to “Allow,” citing Cisco guidelines to help administrators understand the change that should be made.

That may sound counterproductive, but this setting passes e-mails with bare carriage returns or line feeds on to the actual e-mail server (Cisco Secure Email Gateway is just a gateway), which only interprets <CR><LF>.<CR><LF> as end-of-data sequence. So, if you don’t want to receive spoofed e-mails with valid DMARC checks, we highly recommend changing your configuration.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Explained: SMTP smuggling 

Facebook has announced it will roll out a new option called Link History to mobile users around the world. What does that mean?

In what seems like yet another attempt to adapt its platform to prepare for new regulations, Facebook has started rolling out a new feature called Link History.

Link History allows users to view and re-visit links they have visited with their Facebook browsing activity.

Obviously Facebook will tell us that the new feature is for its users’ benefit, but we can see several ways in which this benefits Meta even more. The only positive for me is that it could be a handy option for finding that thing that you saw on Facebook that one time, but you can’t quite remember the details. This gets defeated partially by the fact that users that have Link History enabled report they were unable to see the Link History page at all when looking at Facebook on their laptop.

However, as Facebook tracking goes at least this is an option that you have some control over. On most, if not all, popular websites you’ll find Meta’s and other’s tracking pixels. With an ongoing battle against cookies and other trackers, this may be a new way for Facebook to track its user’s behavior.

With Link History, Facebook now has another separate place where it stores details about the websites you visit along with the settings to control that data. Settings that are, deliberately or not, hard to find and easy to misinterpret.

The company itself says:

> “When you allow link history, we may use your information to improve your ads across Meta technologies.”

Translated, this means that they will use the information to provide you with targeted ads.

Recently Meta got sued over coercing users to pay to stop tracking. Organizations concerned about our privacy say that by doing this, Meta has changed the user’s choices from “yes or no” to “pay or okay.”

Research in 2022 showed that in-app browsers inject JavaScript code into third party websites that cause potential security and privacy risks to the user. This resulted in a class-action complaint against Meta in San Francisco’s federal court, alleging the company built a secret workaround to Apple’s safeguards that protect iPhone users from tracking.

So this may be another attempt to follow users around on the web. Unlike on your desktop, clicking a link in Facebook, or Instagram, will open a special browser built into the app, rather than the default browser of the device.

For now, a limited number of Android and iPhone users will see this option appear in the Facebook Mobile Browser. But the company says it will roll out the option globally over time.

**How to turn link history on or off**

Link history is turned on by default so you will have to opt-out if you don’t want it.

1.  Tap any link inside the Facebook app to open Facebook’s Mobile Browser.
2.  Tap the three dots (more actions) in the bottom right, then tap **Go to Settings**.
3.  To turn link history on, tap the slider to on (blue) next to **Allow link history**, then tap **Allow** to confirm.
4.  To turn link history off, tap the slider to off (grey) next to **Allow link history**, then tap **Don’t allow** to confirm. 

**Note**: When you turn link history off, this will immediately clear your link history, and you will no longer be able to see any links you’ve visited. Facebook promises to delete the link history it’s created for you within 90 days.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Facebook introduces another way to track you &#8211; Link History 

23andMe has responded in a letter to legal representatives of data breach victims that they were to blame themselves for re-using passwords

In a surprising move, in a letter to legal representatives of victims of the recent 23andMe data breach, the company has laid the blame at the feet of victims themselves.

23andMe even goes as far as to claim that this wasn’t a data breach at 23andMe at all. The reasoning:

> “… unauthorized actors managed to access certain user accounts in instances where users recycled their own login credentials—that is, users used the same usernames and passwords used on 23andMe.com as on other websites that had been subject to prior security breaches, and users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

In other words, it was their own fault since they re-used their passwords for services that were breached in the past. Accessing accounts on a website by using lists of usernames and passwords exposed on another is known as “credential stuffing”, and it’s both common and effective. It works because users often use the same password for multiple websites.

What 23andMe seems to have forgotten is that only 14,000 accounts were breached by credential stuffing. Afterwards, the attackers used those accounts to access a much larger trove of data via 23andMe’s feature called DNA Relatives which matches users with their genetic relatives.

So, in what was only made possible by 23andMe, customers who didn’t re-use their passwords and even had 2FA enabled still saw their data stolen. This resulted in the data of as many as seven million 23andMe customers being offered for sale on criminal forums.

It’s the second time the company has attempted to downplay the incident. In its first communication about the incident, 23andMe claimed the stolen data did not include genomic sequencing data.  Later, the company acknowledged that for a subset of these accounts, the stolen data might indeed contain health-related information based upon the user’s genetics.

The data in a file found by BleepingComputer contained information including 23andMe users’ account IDs, full names, sex, date of birth, DNA profiles, location, and region details.

As a result, at least four class action complaints were submitted in California seeking relief for the damage done by 23andMe’s failure to protect customer data. The lawsuits focus on different failures on 23andMe’s side to guard the safety of sensitive data, communicate appropriately about the incident, and monitor its network for abnormal activity.

In its defense, 23andMe reasons that customers re-used their passwords, gave permission to share data with **other users** on 23andMe’s platform, and that the medical information was non-substantive.

I put the emphasis on “other users” in order to point out a flaw in 23andMe’s reasoning—agreeing to share with other users is hardly the same as agreeing to share with a data thief. Without knowing the exact details of what happened, we feel that monitoring would indeed have raised alerts about abnormal activity and allowed them to stop the breach earlier. As it seems now, 23andMe only became aware of a problem when someone offered the data up for sale.

Whatever the judges may decide in the end, it’s looking like 23andMe has shown a lot of disregard for its customers’ privacy and the level of sensitivity of the data.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.**Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 23andMe blames &#8220;negligent&#8221; breach victims, says it’s their own fault 

Microsoft decided to disable App Installer links by default after it noticed several access brokers using the handler to spread malware.

In what might be conceived as one of Microsoft’s new year resolutions, it has disclosed that it’s turned off the ms-appinstaller protocol handler by default. The change is designed to make installing apps easier, but it also makes installing malware easier.

Typically, an app needs to be on a device before it can be installed, which normally means that a user has to download it first. To save time and disk space, Microsoft introduced the ability to install applications directly from a web server, without downloading it first. It relies on links that use the ms-appinstaller URI (Uniform Resource Identifier) scheme, which are handled by App Installer rather than a web browser. When software is installed this way users don’t see SmartScreen or browser warnings about downloaded executables.

Microsoft reports that it observed malicious activity where criminals tricked users into installing malware using ms-appinstaller links, allowing them to bypass mechanisms like SmartScreen that are designed to keep users safe.

Several cybercriminals were found selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler. They distribute signed malicious MSIX application packages using websites accessed through malicious advertisements for legitimate popular software.

The abuse was first noticed in November 2023. Several known groups were using it in different scenarios, all of which lead users to landing pages that mimicked legitimate software vendor sites, where the malware was available via ms-appinstaller links or malicious MSIX installers.

Cybercriminals used four different techniques to spread their malware:

*   **SEO poisoning**. Users who searched for legitimate software applications on Bing or Google were presented with search results for malicious landing pages.
*   **Malvertising**. Users searching for software were directed to malicious landing pages via search ads mimicking legitimate vendors.
*   **Teams messages**. Users were sent messages over Microsoft teams linking to malicious landing pages.
*   **Social engineering**. Microsoft showed an example of an employement opportunity site that tricked visitors into installing malware by saying it was a new PDF reader version that was required in order to view a document.

The criminal groups identified as using these methods were all initial access brokers (IABs). IABs are individuals or organizations that specialise in providing ransomware gangs with access to company networks.

Malicious installers can be spotted by looking at the publisher information in the ms-appinstaller prompt.

Image courtesy of Microsoft

To manually disable ms-appinstaller on your network, set the Group Policy EnableMSAppInstallerProtocol to disabled.

**How to avoid ransomware**

*   **Block common forms of entry.** Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
*   **Prevent intrusions.** Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
*   **Detect intrusions.** Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption.** Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups.** Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Microsoft disables ms-appinstaller after malicious use 

Europols’s spotlight report ‘Online fraud schemes: a web of deceit’, identifies investment fraud as a major threat.

Europols’s spotlight report ‘Online fraud schemes: a web of deceit’, looks into online fraud schemes—a major crime threat in the EU and beyond—and one of the report’s primary themes is investment fraud.

But first I want to share some more remarkable conclusions from the report:

*   Charity scams that prey on concern about international conflicts and natural disasters are becoming more prevalent.
*   Fraudsters are evolving their techniques and increasingly re-target fraud victims.
*   The social engineering techniques used by fraudsters are growing in complexity.
*   Logical attacks on ATMs still occur in the EU, with criminal networks testing ways to exploit new vulnerabilities.
*   It also notes the increasing use of “shimming” attacks where an attacker intercepts communication between a card and card reader’s chip interface, and then relays it to another device.

Investment fraud and business e-mail compromise (BEC) fraud remain the most prolific online fraud schemes. Criminal networks involved in these schemes pose a high threat, given their level of organization and resilience. This conclusion matches that of the 2022 Internet Crime Report produced by the FBI’s Internet Crime Complaint Center (IC3), which attributed almost $84 million dollars to BEC and over $75 million to investment fraud.

Europol found that criminal networks involved on investment fraud show great levels of adaptability by constantly refining and improving their methods and leveraging new investment products that are in high demand.

Preying on one of the most basic human flaws, investment scams and other get-rich-quick schemes are making up an ever larger portion of the online scammers’ cake. And the scammers are very much aware that a large amount of money can be made, and they are more than willing to invest in the tools that make their fraud look more trustworthy.

Investment fraudsters look for victims on social media platforms. But they also use e-mail, advertisements on websites, and instant messaging to trigger a potential victim’s interest. When a victim starts to ask questions, the criminals come up with reasons why funds can’t be withdrawn, such as fees or state taxes. To top things off, they will tell the victim they need more money in order to release their funds.

Criminal networks involved in investment fraud make extensive use of call centers. These call centers operate in different languages and the operators are not necessarily aware of the criminal activities behind the work they do.

One of the preferred tactics of investment fraud is the pyramid scheme, where victims are encouraged to recruit more participants. But another method resembles that of romance scams where the criminal builds a relationship with the victim.

Popular investment opportunities offered by the criminals include stocks, cryptocurrencies, and pension funds. The most reported investment fraud products in the EU are cryptocurrencies. The IC3 report mentions for example:

> “Cryptocurrency support impersonators: Increasingly, crypto owners are falling victim to scammers impersonating support or security from cryptocurrency exchanges. Owners are alerted of an issue with their crypto wallet and are convinced to either give access to their crypto wallet or transfer the contents of their wallet to another wallet to “safeguard” the contents.”

To re-target victims the criminals pose as lawyers or members of law enforcement claiming they can help victims to get the lost money back.

**Recognizing investment scams**

We are by no means financial experts, but we have seen too many good people lose money on Ponzi schemes, rug-pulls, and fake Initial Coin Offerings (ICOs), so we feel it is our job to keep you safe, and warn against these types of online investment frauds.

We realize that it is hard to tell investment scams apart from some of the more legitimate offers that are thrown at us in commercials every day. But we do want to hand you a few easy-to-follow rules to keep your money in your own hands:

*   Treat calls, texts, mails, and other advice out of the blue with extreme caution.
*   Don’t judge a book by its cover. Investment scams can often afford to look good.
*   Make sure to read the fine print. Understand what you are getting into.
*   If it sounds too good to be true, it usually isn’t true.
*   Very high returns usually come with extremely high risks. Your money may sometimes even be better off in a casino.
*   When you are urged to act now, remember that while _some_ legitimate opportunities want you to hurry, scammers _always_ want you to hurry.
*   Don’t get turned into a money mule or money launderer.

Still not convinced? I have this piece of land on Venus, that I would be willing to part with for the right price. But you will need to act fast.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Source

Malwarebytes